some ideas to flesh out more of vfs_full_audit's end all,
be all, capabilities list...
# currently possible but not sexy
full_audit:success = <list all 90 some ops, minus a few>
full_audit:failure = all
# it would be slick to have something like this to skip
# common or uninteresting entries. a little code added
# to init_bitmap() should do the trick nicely.
full_audit:success = all !readdir !telldir !closedir
full_audit:failure = all
# for even more fun, add op classes that can be added to
# or redefined by the user. and have the definitions
# be additive as they are parsed rather than splitting the
# conf lines with \ if that's even possible.
full_audit:oc = noise = readdir telldir closedir ...
full_audit:oc = always = create delete rename ...
full_audit:oc = ifspace = chmod ...
full_audit:oc = because = oc_ifspace oc_noise connect
full_audit:success = all !oc_noise !oc_ifspace
or
full_audit:success = oc_always oc_ifspace
# and log to a file in do_log() without going through syslog.
full_audit:logfile = /<wherever>
full_audit:logfile = log.full_audit # no anchor, puts in usual logdir

A few words on the last patch. It implements VFS operation classes by
having the user define a list of classes he implements.
For example:
full_audit:classes = SMBTrafficAnalyzerV1 Important
Here, the user declares two classes.
The user must then define the classes as for example:
full_audit:SMBTrafficAnalyzerV1 = pread read pwrite write
full_audit:Important = mkdir
The user might then do the following:
full_audit:success = SMBTrafficAnalyzerV1 !Important
Classes can include classes on their own. We parse recursively through them.
However, should the user have an ill-fated class setup, like:
full_audit:classes = SMBTrafficAnalyzerV1 Important
full_audit:SMBTrafficAnalyzerV1 = pread read pwrite write Important
full_audit:Important = mkdir !SMBTrafficAnalyzerV1
full_audit:success = SMBTrafficAnalyzerV1
we will stop scanning the classes after a recurse depth of level 20.
This allows for relatively complex class scenarios, while making sure
that self-repeating class setups are disabled.
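
The expansion rules described in the comment above (classes, `!` negation, nested classes, a depth limit of 20), sketched as an added example; this is not the code from the attached patch. The op table is a constructed subset, `parse_ops`/`expand` are hypothetical names, and failing the whole line on an unknown name or on exceeding the depth limit is an assumed policy.

```c
#include <string.h>

#define MAX_DEPTH 20 /* recursion limit named in the comment above */
/* Constructed subset of op names; the real module knows about 90. */
static const char *ops[] = { "pread", "read", "pwrite", "write", "mkdir", "connect" };
#define N_OPS (sizeof(ops) / sizeof(ops[0]))
struct opclass { const char *name, *members; };
/* Constructed tables mirroring the two class setups quoted above. */
static const struct opclass good[] = {
    { "SMBTrafficAnalyzerV1", "pread read pwrite write" }, { "Important", "mkdir" } };
static const struct opclass cyclic[] = {
    { "SMBTrafficAnalyzerV1", "pread read pwrite write Important" },
    { "Important", "mkdir !SMBTrafficAnalyzerV1" } };

/* Fold ops, classes and !negations into *mask, left to right. Returns -1 on an
 * unknown name or nesting deeper than MAX_DEPTH (assumed failure policy). */
static int expand(const char *list, const struct opclass *cls, size_t ncls,
                  int depth, unsigned *mask)
{
    if (depth > MAX_DEPTH) return -1;
    for (;;) {
        char tok[64];
        unsigned bits = 0;
        size_t i, len, found = 0;
        list += strspn(list, " ");
        len = strcspn(list, " ");
        if (len == 0) return 0;                 /* end of list */
        if (len >= sizeof(tok)) return -1;
        memcpy(tok, list, len); tok[len] = '\0'; list += len;
        const char *name = tok + (tok[0] == '!');
        if (strcmp(name, "all") == 0) { bits = (1u << N_OPS) - 1; found = 1; }
        for (i = 0; !found && i < N_OPS; i++)
            if (strcmp(name, ops[i]) == 0) { bits = 1u << i; found = 1; }
        for (i = 0; !found && i < ncls; i++)
            if (strcmp(name, cls[i].name) == 0) {
                if (expand(cls[i].members, cls, ncls, depth + 1, &bits)) return -1;
                found = 1;
            }
        if (!found) return -1;
        if (tok[0] == '!') *mask &= ~bits; else *mask |= bits;
    }
}

/* Op bitmask for one full_audit:success/failure value, or -1 on error. */
int parse_ops(const char *list, const struct opclass *cls, size_t ncls)
{
    unsigned mask = 0;
    return expand(list, cls, ncls, 0, &mask) ? -1 : (int)mask;
}
```

Rejecting the line outright, rather than logging with a partially built mask, keeps a mistyped or cyclic class from silently dropping operations out of the audit trail.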

Comment on attachment 5408
Enable negated ops, and allow opclasses
Hi, Holger!
As already discussed on irc: I think these classes are a bit over the top. This is code that we need to carry forever. We haven't come up with an example where the classes solve problems that can't be solved without them with a potentially more verbose configuration.
I do see the point of having the !. If we can get a patch that does only that, I think it would be perfect. This would be very easy to explain, the code should be equally trivial.
Thanks for looking at this!
Volker

As this is an enhancement and not a bug fix, I would prefer to put it in 3.6.0 instead of 3.5.1. Closing out bug report as patch has been pushed to master and 3.6 branches have not been created yet.
Thanks a lot!